I periodically run into the expiry of the GPG key used to sign the google-cloud-sdk APT repository. The error looks like this:
Err:9 https://packages.cloud.google.com/apt cloud-sdk InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
Fetched 6,361 B in 1s (4,349 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
27 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.cloud.google.com/apt cloud-sdk InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
W: Failed to fetch https://packages.cloud.google.com/apt/dists/cloud-sdk/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
W: Some index files failed to download. They have been ignored, or old ones used instead.
Judging by the gpg output, the old key (7F92E05B31093BEF5A3C2D38FEEA9169307EA071) expired back in early March:
$ gpg /usr/share/keyrings/cloud.google.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub   rsa2048 2021-03-01 [SC] [expired: 2023-03-02]
      7F92E05B31093BEF5A3C2D38FEEA9169307EA071
uid   Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub)
sub   rsa2048 2021-03-01 [E] [expired: never ]
pub   rsa2048 2020-12-04 [SC] [expired: 2022-12-04]
      59FE0256827269DC81578F928B57C5C2836F4BEB
uid   gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>
sub   rsa2048 2020-12-04 [E] [expired: never ]
The fix is simple: download the new key and run apt update again (installing google-cloud-sdk is described here):
$ curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
I check what validity period the new key has:
$ gpg /usr/share/keyrings/cloud.google.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub   rsa2048 2021-03-01 [SC] [expired: 2023-03-02]
      7F92E05B31093BEF5A3C2D38FEEA9169307EA071
uid   Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub)
sub   rsa2048 2021-03-01 [E] [expired: never ]
pub   rsa2048 2020-12-04 [SC] [expired: 2022-12-04]
      59FE0256827269DC81578F928B57C5C2836F4BEB
uid   gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>
sub   rsa2048 2020-12-04 [E] [expired: never ]
pub   rsa2048 2022-05-21 [SC]
      A362B822F6DEDC652817EA46B53DC80D13EDEF05
uid   Rapture Automatic Signing Key (cloud-rapture-signing-key-2022-03-07-08_01_01.pub)
sub   rsa2048 2022-05-21 [E]
It looks like this time Google decided not to set an expiration for the new key (A362B822F6DEDC652817EA46B53DC80D13EDEF05). Just in case, I'll check whether there is a "keyring" package that would update this key automatically:
$ aptitude -F '%p' search 'keyring ?origin(cloud-sdk)'
The search returned nothing, which means Google does not provide a "keyring" package for automatic rotation. For comparison, here is what the same search looks like for Debian:
$ aptitude -F '%p' search 'keyring ?origin(debian)'
archlinux-keyring
debian-archive-keyring
debian-keyring
debian-ports-archive-keyring
elbe-archive-keyring
fasttrack-archive-keyring
gnome-keyring
gnome-keyring-pkcs11
keyringer
leap-archive-keyring
libpam-gnome-keyring
mercurial-keyring
neurodebian-archive-keyring
pidgin-gnome-keyring
python3-keyring
python3-keyrings.alt
sq-keyring-linter
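
With no keyring package to rotate the key, the expiry check done by hand above can be scripted. This is an added example, not part of the original post: it reads gpg's machine-readable --with-colons listing and flags primary keys that are expired or about to expire. The function names, the 30-day window and the sample records (constructed from the key IDs and dates shown above, with a placeholder subkey) are assumptions.

```shell
#!/bin/sh
# Added example: flag signing keys in an APT keyring that are expired or
# expire soon. Real use (gpg with --show-keys support):
#   gpg --show-keys --with-colons /usr/share/keyrings/cloud.google.gpg \
#     | check_key_expiry "$(date +%s)" 30

# stdin: gpg colon listing; $1: "now" in epoch seconds; $2: warning window in days.
# Prints "<status> <fingerprint>" per primary key; returns 1 if any key needs attention.
check_key_expiry() {
  awk -F: -v now="$1" -v days="$2" '
    $1 == "pub" { expiry = $7; primary = 1; next }  # field 7: expiry epoch, empty if none
    $1 == "sub" { primary = 0; next }               # skip subkey fingerprints
    $1 == "fpr" && primary {
      primary = 0
      if (expiry == "")                            { status = "no-expiry" }
      else if (expiry + 0 <= now + 0)              { status = "EXPIRED";  bad = 1 }
      else if (expiry + 0 <= now + days * 86400)   { status = "EXPIRING"; bad = 1 }
      else                                         { status = "ok" }
      print status, $10                             # field 10: fingerprint
    }
    END { exit bad + 0 }'
}

# Constructed sample: the three primary keys from the listing above, with the
# dates taken as midnight UTC and an all-zero placeholder subkey.
sample_colons() {
  cat <<'EOF'
pub:e:2048:1:FEEA9169307EA071:1614556800:1677715200::-:::sc:
fpr:::::::::7F92E05B31093BEF5A3C2D38FEEA9169307EA071:
sub:e:2048:1:0000000000000000:1614556800::::::e:
fpr:::::::::0000000000000000000000000000000000000000:
pub:e:2048:1:8B57C5C2836F4BEB:1607040000:1670112000::-:::sc:
fpr:::::::::59FE0256827269DC81578F928B57C5C2836F4BEB:
pub:-:2048:1:B53DC80D13EDEF05:1653091200:::-:::scSC:
fpr:::::::::A362B822F6DEDC652817EA46B53DC80D13EDEF05:
EOF
}

# Demo with "now" fixed at 2023-03-20 (1679270400) and a 30-day window.
sample_colons | check_key_expiry 1679270400 30 || echo "keyring needs a refresh"
```

Run from cron with the real gpg pipeline from the header comment, the non-zero exit status gives a warning before apt update starts failing.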